Similar literature
1.
Tracing interactive attack traffic that traverses stepping stones (i.e., intermediate hosts) is challenging, as the packet headers, lengths, and contents can all be changed by the stepping stones. The traffic timing (delays between packets) has therefore been studied as a means of tracing traffic. One such technique uses traffic timing as a side channel into which a watermark, or identifying tag, can be embedded to aid with tracing. The effectiveness of such techniques is greatly reduced when the packet count of the traffic is changed at the stepping stone. Such transformations may occur as a result of either active countermeasures (e.g. chaff packets, flow splitting) by an adversary attempting to defeat tracing, or incidental repacketization of the traffic by network interfaces. This paper presents a new method of embedding a watermark in traffic timing, for purposes of tracing the traffic in the presence of flow splitting, chaff packets, timing perturbation, and repacketization. This method uses an invariant characteristic of two connection flows which are part of the same stepping stone chain, namely, the elapsed time of the flows. The duration of each flow is sliced into short fixed-length intervals. Packet timing is adjusted to manipulate the packet count in specific intervals (without adding or deleting any packets), for purposes of embedding the watermark. The method is self-synchronizing and does not require clock synchronization between the watermark encoder and decoder. A statistical analysis of the method, with no assumptions or limitations concerning the distribution of packet times, proves the effectiveness of the method given a sufficient number of packets, despite natural and/or deliberate repacketization and countermeasures by an adversary. The method has been implemented and tested on a large number of SSH traffic flows.
The results demonstrate that 100% detection rates and very low false positive rates are achieved under conditions of multiple countermeasures, and using only a few hundred packets.

2.
Network flow watermarking, as an active traffic analysis technique, can effectively trace the users of malicious anonymous communication and the real attackers behind stepping-stone chains. It has the advantages of high accuracy, a low false-positive rate and a short observation time, and has important applications in attack-source tracing, network supervision and attack forensics. This paper first describes the basic framework and main characteristics of network flow watermarking, then briefly introduces the typical payload-based, flow-rate-based and packet-timing-based network flow watermarking techniques, then surveys the main attacks against network flow watermarking, such as timing analysis attacks, multi-flow attacks and mean-square autocorrelation attacks, together with their countermeasures, and finally discusses the prospects for the development of network flow watermarking technology.

3.
The uncertainties in host signal modeling due to inherent model errors and various attack distortions have prompted the introduction of robust statistics theory in the context of watermark detection. Specifically, the ε-contamination model was applied to describe the host signals, and statistically robust (SR) watermark detectors assuming known embedding strengths were derived. In this work, we investigate the robust detection structure for multiplicative watermarking. A detection-simulation (DS)-based approach to determine the contamination factor is also presented. Moreover, considering that the strengths of the watermark signals may be adapted to host signals and will very likely change after being distorted by attacks, we go further to propose the asymptotically robust detector for multiplicative watermarks, which can be viewed as the SR counterpart of the locally most powerful watermark detector in the same sense that the SR detector with full knowledge of the watermark strengths is the corresponding parallel for the optimum detector. Experiments on real images demonstrate the superiority of the new schemes over the conventional ones.

4.
Denial-of-service (DoS) attacks using source IP address spoofing techniques have become a major threat to the Internet. An intrusion detection system is often used to detect DoS attacks and to coordinate with the firewall to block them. However, DoS attack packets consume and may exhaust all the resources, degrading network performance or, even worse, causing a network breakdown. A proactive approach to DoS attacks is locating the original attack host(s) issuing the attacks and stopping the malicious traffic, instead of wasting resources on the attack traffic.

In this paper, an ant-based traceback approach is proposed to identify the DoS attack origin. Instead of creating a new packet type or function, or processing the high volume of fine-grained data used by previous research, the proposed traceback approach uses flow-level information to identify the origin of a DoS attack.

Two characteristics of the ant algorithm, quick convergence and heuristic search, are adopted in the proposed approach for finding the DoS attack path. Quick convergence efficiently finds the origin of a DoS attack; the heuristic gives a solution even when only partial flow information is provided by the network.

The proposed method is evaluated through simulation on various network environments and two simulated real networks, NSFNET and DFN. The simulation results show that the proposed method can successfully and efficiently find the DoS attack path in various simulated network environments, with full and partial flow information provided by the networks.


5.
Based on the basic principle of fragment marking, this paper proposes a new fragment marking method, NFMS, and analyzes and discusses through simulation experiments the timeliness of the attack-source localization scheme, its performance in locating large-scale DDoS attacks, its network load, load handling and deployment cost. The results show that the new fragment marking method has low network and computational load, greatly reduces the number of packets required for reverse localization, can locate DoS attacks quickly and accurately, and also locates small-scale DDoS attacks well.

6.
Network flow watermarking schemes have been proposed to trace network attacks in the presence of stepping stones or anonymized channels. Most existing interval-based watermarking schemes are not only ineffective in tracing multiple network flows in parallel due to severe inter-flow interference in practice but also vulnerable to the newly introduced watermarking attacks. By combining the Interval Centroid Based Watermarking (ICBW) modulation approach with the Spread Spectrum (SS) watermarking coding technique, we herein propose an Interval Centroid Based Spread Spectrum Watermarking scheme (ICBSSW) for efficiently tracing multiple network flows in parallel. Based on our proposed theoretical model, a statistical analysis of ICBSSW, with no assumptions or limitations concerning the distribution of packet times, proves its effectiveness and robustness against inter-flow interference. ICBSSW can thwart multi-flow attacks by utilizing multiple Pseudo-Noise (PN) codes as random seeds for randomizing the location of the embedded watermark across multiple flows. The experiments using a large number of synthetically generated secure shell (SSH) traffic flows demonstrate that ICBSSW can efficiently trace multiple flows simultaneously and achieve robustness against inter-flow interference. Furthermore, our approach can be applied to other interval-based flow watermarking schemes besides ICBW for effective and efficient multi-flow traceback.

7.
Computer Networks, 2008, 52(5):957-970
We propose a router-based technique to mitigate stealthy reduction of quality (RoQ) attacks at routers in the Internet. RoQ attacks have been shown to impair QoS-sensitive VoIP and TCP traffic in the Internet. It is difficult to detect these attacks because of their low average rates. We also show that our generalized approach can detect these attacks even if they employ source IP address spoofing, destination IP address spoofing, and undefined periodicity to evade several router-based detection systems. The detection system operates in two phases: in phase 1, the presence of the RoQ attack is detected from the readily available per-flow information at the routers, and in phase 2, the attack filtering algorithm drops the RoQ attack packets. Assuming that the attacker uses source IP address and destination IP address spoofing, we propose to detect the sudden increase in the traffic load of all the expired flows within a short period. In a network without RoQ attacks, we show that the traffic load of all the expired flows is less than certain thresholds, which are derived from real Internet traffic analysis. We further propose a simple filtering solution to drop the attack packets. The filtering scheme treats long-lived flows in the Internet preferentially, and drops the attack traffic by monitoring the queue length when the queue length exceeds a threshold percentage of the queue limit. Our results show that we can successfully detect and mitigate RoQ attacks even with the source and destination IP addresses spoofed. The detection system is implemented in the ns2 simulator. In the simulations, we use the flowid field available in ns2 to implement per-flow logic, where a flow is a combination of the source IP address, the destination IP address, the source port, and the destination port. We also discuss a real implementation of the proposed detection system.

8.
In a hostile environment, sensor nodes may be compromised and then used to launch various attacks. One severe attack is false data injection, which is becoming a serious threat to wireless sensor networks. An attacker uses the compromised node to flood the network and exhaust network resources by injecting a large number of bogus packets. In this paper, we study how to locate the attack node using a framework of packet marking and packet logging. We propose a combined packet marking and logging scheme for traceback (CPMLT). In CPMLT, one packet can be marked by up to M nodes, each node marking a packet with a certain probability. When one packet has been marked by M nodes, the next marking node logs this packet. By combining packet marking and logging, we can reconstruct the entire attack path and locate the attack node by collecting enough packets. In our simulation, CPMLT achieves fast traceback with little logging overhead.

9.
Network attack detection plays an important role in network security. Its targets are mainly attack behaviours such as botnets and SQL injection. With the wide use of the Secure Sockets Layer / Transport Layer Security (SSL/TLS) encryption protocols, SSL/TLS attacks launched against the SSL/TLS protocol itself are increasing. A network flow collection environment was therefore built, and a network flow dataset containing four kinds of SSL/TLS attack flows and normal flows was constructed. To address the ...

10.
The frequency and intensity of Internet attacks are rising at an alarming pace. Several technologies and concepts were proposed for fighting distributed denial of service (DDoS) attacks: traceback, pushback, i3, SOS and Mayday. This paper shows that in the case of DDoS reflector attacks they are either ineffective or even counterproductive. We then propose the novel concept of traffic ownership and describe a system that extends control over network traffic by network users to the Internet using adaptive traffic processing devices. We safely delegate partial network management capabilities from network operators to network users. All network packets with a source or destination address “owned” by a network user can now also be controlled within the Internet instead of only at the network user's Internet uplink. By limiting the traffic control features and by restricting the realm of control to the “owner” of the traffic, we can rule out misuse of this system. Applications of our system are manifold: prevention of source address spoofing, DDoS attack mitigation, distributed firewall-like filtering, new ways of collecting traffic statistics, service-level agreement validation, traceback, distributed network debugging, support for forensic analyses and many more. A use case illustrates how our system enables network users to prevent and react to DDoS attacks.

11.
Despite their popularity, spread spectrum schemes are vulnerable against sensitivity analysis attacks on standard deterministic watermark detectors. A possible defense is to use a randomized watermark detector. While randomization sacrifices some detection performance, it might be expected to improve detector security to some extent. This paper presents a framework to design randomized detectors with exponentially large randomization space and controllable loss in detection reliability. We also devise a general procedure to attack such detectors by reducing them into equivalent deterministic detectors. We conclude that, contrary to prior belief, randomization of the detector is not the ultimate answer for providing security against sensitivity analysis attacks in spread spectrum systems. Instead, the randomized detector inherits the weaknesses of the equivalent deterministic detector.

12.
邢桂华, Computer Engineering (计算机工程), 2012, 38(23):284-286
In watermark detection, a fixed-length sample is usually used, i.e., a large number of samples to be tested are needed at detection time, which is unsuitable for multi-watermark detection and video watermark detection. For this reason, sequential watermark detection is studied and an improved method is designed. Based on an analysis of the theory of sequential watermark detection, it is found that both the operating characteristic function index and the number of samples required are related to the embedding factor. The method uses a local neural network to estimate the original image, which reduces the error in the embedding factor and improves the performance of sequential watermark detection.

13.
Computer Networks, 2007, 51(5):1299-1314
Denial of service (DoS) attacks are a serious security threat for Internet-based organisations, and effective methods are needed to detect an attack and defend the nodes being attacked in real time. We propose an autonomic approach to DoS defence based on detecting DoS flows, and adaptively dropping attacking packets upstream from the node being attacked using trace-back of the attacking flows. Our approach is based on the Cognitive Packet Network infrastructure, which uses smart packets to select paths based on Quality of Service. This approach allows paths being used by a flow (including an attacking flow) to be identified, and also helps legitimate flows to find robust paths during an attack. We evaluate the proposed approach using a mathematical model, as well as using experiments in a laboratory test-bed. We then suggest a more sophisticated defence framework based on authenticity tests as part of the detection mechanism, and on assigning priorities to incoming traffic and rate-limiting it on the basis of the outcome of these tests.

14.
Malicious attacks, when launched by the adversary class against sensor nodes of a wireless sensor network, can disrupt routine operations of the network. The mission-critical nature of these networks signifies the need to protect sensory resources against all such attacks. Distributed node exhaustion attacks are attacks that may be launched by the adversarial class from multiple ends of a wireless sensor network against a set of target sensor nodes. The intention of such attacks is the exhaustion of the victim’s limited energy resources. As a result of the attack, the incapacitated data-generating legitimate sensor nodes are replaced with malicious nodes that will engage in further malicious activity against sensory resources. One such activity is the generation of fictitious sensory data to misguide emergency response systems into mobilizing unwanted contingency activity. In this paper, a model is proposed for such an attack based on network traffic flow. In addition, a distributed mechanism for detecting such attacks is also defined. Specific network topology-based patterns are defined to model normal network traffic flow, and to facilitate differentiation between legitimate traffic packets and anomalous attack traffic packets. The performance of the proposed attack detection scheme is evaluated through simulation experiments, in terms of the size of the sensor resource set required for participation in the detection process to achieve a desired level of attack detection accuracy. The results signify the need for distributed pattern recognition for detecting distributed node exhaustion attacks in a timely and accurate manner.

15.
Sensitivity analysis attacks constitute a powerful family of watermark "removal" attacks. They exploit a vulnerability in some watermarking protocols: the attacker's unlimited access to the watermark detector. This paper proposes a mathematical framework for designing sensitivity analysis attacks and focuses on additive spread-spectrum embedding schemes. The detectors under attack range in complexity from basic correlation detectors to normalized correlation detectors and maximum-likelihood (ML) detectors. The new algorithms precisely estimate and then eliminate the watermark from the watermarked signal. This is accomplished by exploiting geometric properties of the detection boundary and the information leaked by the detector. Several important extensions are presented, including the case of a partially unknown detection function, and the case of constrained detector inputs. In contrast with previous art, our algorithms are noniterative and require, at most, O(n) detection operations in order to precisely estimate the watermark, where n is the dimension of the signal. The cost of each detection operation is O(n); hence, the algorithms can be executed in quadratic time. The method is illustrated with an application to image watermarking using an ML detector based on a generalized Gaussian model for images.

16.
Real-time performance is very important for IP traceback of hosts that send packets with spoofed source addresses in DoS or DDoS network attacks. This paper proposes a real-time IP traceback model, CoMM (Cooperative Marking and Mitigation), which infers the attack path with the active participation of the victim and the help of coordinators of the autonomous networks. Locally inferred attack paths can help verify the attack path inferred by the victim; upstream routers use rate limiting to reduce the intensity of the attack while guaranteeing the transmission of legitimate user traffic and of the traffic the victim needs to infer the attack path normally, and the overhead of routers participating in tracing is effectively reduced.

17.
Tracing DoS attacks that employ source address spoofing is an important and challenging problem. Traditional traceback schemes provide spoofed packets traceback capability either by augmenting the packets with partial path information (i.e., packet marking) or by storing packet digests or signatures at intermediate routers (i.e., packet logging). Such approaches require either a large number of attack packets to be collected by the victim to infer the paths (packet marking) or a significant amount of resources to be reserved at intermediate routers (packet logging). We adopt a hybrid traceback approach in which packet marking and packet logging are integrated in a novel manner, so as to achieve the best of both worlds, that is, to achieve a small number of attack packets to conduct the traceback process and a small amount of resources to be allocated at intermediate routers for packet logging purposes. Based on this notion, two novel traceback schemes are presented. The first scheme, called distributed link-list traceback (DLLT), is based on the idea of preserving the marking information at intermediate routers in such a way that it can be collected using a link list-based approach. The second scheme, called probabilistic pipelined packet marking (PPPM), employs the concept of a "pipeline" for propagating marking information from one marking router to another so that it eventually reaches the destination. We evaluate the effectiveness of the proposed schemes against various performance metrics through a combination of analytical and simulation studies. Our studies show that the proposed schemes offer a drastic reduction in the number of packets required to conduct the traceback process and a reasonable saving in the storage requirement.

18.
罗淇方, 钟诚, 李智, 杨锋, 冯艳华, Microcomputer Development (微机发展), 2006, 16(9):240-242
An improved ICMP traceback method is proposed. The method is based on a cooperative filtering mechanism, which makes the generated ICMP traceback packets more effective and filters attack packets while protecting legitimate packets as close to the DDoS attack source as possible. The improved ICMP method tracks the IP packets that trigger ITrace packets synchronously from near the attack source to the victim, improving the speed and accuracy of attack path reconstruction.

19.
To address the difficulty of measuring traffic on high-speed networks and the fact that long flows account for most of the network traffic, a long-flow identification algorithm based on multi-level CBF is proposed. Packets are sampled, and each sampled packet is mapped through a series of hash functions into the long-flow information table to look up whether the flow's information already exists. If it exists, the flow information is updated; if not, the packet's flow information is filtered through the multi-level CBF structure, and a flow whose packet count reaches the threshold is identified as a long flow, whose information is then created and maintained in the long-flow information table. The algorithm greatly reduces the probability of a short flow being misidentified as a long flow because of hash collisions, reduces resource overhead, and scales well for identifying long flows with a specified packet-count threshold.

20.
Defending against distributed denial-of-service (DDoS) attacks is an important topic in current network attack research. This paper proposes a design for a DDoS attack traceback scheme. Building on adaptive packet marking theory, a new improved algorithm is proposed: the scheme makes use of the TTL field and proposes a scalable packet marking strategy that can locate the attack source faster with fewer packets. Compared with previous methods, the algorithm is more flexible and has a very low false-positive rate. Simulation experiments show that the system can trace the IP source with fewer packets, minimizing the damage caused by the attack.
